Alec Aivazis edited If_you_wanted_to_add__.html  over 8 years ago

Commit id: 50b6f183fd86c0bfb9513dc318be7c89901bf015


  • If you wanted to add it to some kind of store that was accessible to the developer console (like redux) then we could not prevent them from easily modifying the data. However, hope is not lost. We can let them modify the data so long as we have some way of invalidating it afterwards.
  • In that case, we need some way of comparing it to a known valid state corresponding to the logged in user which we create when the user logs in and verifying that it is the same
    • That known reference would also be wrapped in a closure to prevent the malicious user from setting globally availible data and then changing the value of the comparison variable to match the new data.
  • In 
    • In  most cases, to achieve persistence, an additional request is required when the user logs in which decrypts the JWT. The server would respond with the authentication information which is in turn stored locally. This data is protected by the above algorithm since changing the value of the data used to authenticate invalidates it when comparing to the source of truth.
    • Authenticating the current user for the role admin then looks something like return isEqual(currentAuthInfo, sourceOfTruth) && intersection(auth.roles, targetRoles)).length > 0
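Review bot: the `return` expression in the last bullet has an unbalanced closing parenthesis; `intersection(auth.roles, targetRoles)).length > 0` should read `intersection(auth.roles, targetRoles).length > 0`, and `auth` is not introduced anywhere in these notes, so it presumably should be `currentAuthInfo`. The bullet consisting only of `In` reads as a stray fragment left behind when the following sub-bullet was indented, and `availible` should be `available`. On the design: since both `currentAuthInfo` and `sourceOfTruth` live in the browser, the comparison only governs what the UI renders; the bullet about the server responding with authentication information would be clearer if it stated that every privileged request is still authorized on the server, because a user with console access can bypass any client-side check regardless of the closure.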